Instructions The Case – A Digital Forensic Investigation Plan Summary: Delta Fin
Question
Instructions

The Case – A Digital Forensic Investigation Plan

Summary: Delta Financial Services (DFS) is a multinational company that provides financial services for employees, individuals and companies. DFS employs around 250 employees and the company serves more than 3 million customers in Australia and New Zealand. DFS has invested heavily in information technology for supporting its business operations and achieving competitive advantages over its competitors. Major investments were made by the company in the early 2000s, but management has lost focus in updating the networks and application infrastructure that supports the business operation in recent years.

The network environment between all of DFS's offices is flat and relatively unrestricted. Users from one office can access systems and servers from another office. Workstations and servers are typically Macintosh-based. Firewalls and network segmentation are implemented poorly throughout the environment. Intrusion detection and logging exist on systems but they are not effectively used.

John Stuart at the Perth office comes in to work early one day and when he connects to his server, he finds that someone is already connected with several windows open. As he stares at it, the window disconnects. He connects again, but is logged out. He calls the IT manager, who follows a plan for such incidents. This includes disabling John's account and examining server security logs. He finds the IP address of the computer that is connected to John's computer and finds it belongs to a computer used to run a data projector at the New Zealand office. He rings the New Zealand office to identify the user of the computer and the logs of who has swiped into the secure building. There were four people in the building at the time, but one has since swiped out and called in sick – Tom Wills.

A swift meeting with management concludes that Tom has at least violated company policy by accessing a colleague's account, but they are unsure if he has violated any other policy or engaged in criminal activity, such as embezzlement. They wish to investigate and find out the extent of Tom's activities, if others are involved, who is affected and whether criminal charges need to be laid. A team of auditors is formed by the Information Security Office to investigate the incident at the New Zealand office. Apart from reviewing paper-based company documents, the auditing team is tasked to undertake digital forensic analysis of the computer systems at the Perth office. This involves gathering digital evidence from relevant desktop PCs and e-mail accounts.

Requirements: As part of the auditing team, in the capacity of a Digital Forensics expert, your task is to prepare a digital forensics investigative plan to enable a systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. Assuming all systems are Macintosh-based, this plan should detail the following:
• propose the appropriate digital forensic methodology for the investigation and provide justification for proposing this digital forensic methodology
• describe the resources required to conduct a digital forensic investigation, including skill sets and required tools of the team members
• outline an approach for data/evidence identification and acquisition that would occur in order to prepare the auditors for review of the digital evidence
• outline an approach and steps to be taken during the analysis phase, making the assumption the computer system is a Macintosh-based computer
• outline an approach to recover the files that have been deleted from the computer
• develop relevant security policies for the company
• provide recommendations to the company for dealing with the problem

Tips for preparing your digital forensics investigative plan

In writing the digital forensics investigative plan, students need to address the following points. Do note that the points listed below are not exhaustive and need to be considered as helpful tips.
• Justify a need for digital forensics methodology and consider the scope of the case, including the nature of the alleged misconduct, leading to consideration of how electronic and digital evidence may support the investigation. The plan should consider how digital forensics differs from other techniques (such as network forensics, data recovery) and detail the overall steps for the systematic digital forensics approach.
• Consider the required resources and include details regarding the preparation plan for evidence gathering (such as evidence forms, types, storage media and containers), the forensics workstation and peripherals needed, software/tools for analysis depending on the type of evidence to be gathered (including rationale for selected tools), and consideration of team member skills in digital analysis (such as OS knowledge, skills for interviewing, consultation, working as per the needs of the auditing team and understanding of law and corporate policies).
• Detail the approach for data acquisition, including the different types of evidence that can be gathered and their source depending upon the nature of the case and scope of investigation; develop a plan for data acquisition including rationale for the selected plan and contingency planning; detail the type of data acquisition tools needed, including rationale, and an outline of the data validation and verification procedures.
• Provide an outline of the forensic analysis procedures/steps depending upon the nature of evidence to be collected, and detail the validation approach. This can include techniques to counter data hiding, recovering deleted files, and procedures for network and e-mail analysis.
• Provide an outline of the approach to recover the files that have been deleted from the computer.
• Develop suitable security policies for the company.
• Provide appropriate recommendations to the company for dealing with the problem.
• Prepare a professional report with an Executive Summary, a Word-generated table of contents, an Introduction, a body of report with proper headings and sub-headings, and a Conclusion.

COIT20267 Assessment item 2 – Case study (marking rubric)

Performance levels: Beginning (1), Developing (2), Improving (3), Accomplished (4), Exemplary (5); Score

Criteria:
• Justification – Is the justification of "why use of the digital forensic methodology and approach is warranted" sound?
• Resources – Are the resources required to conduct a digital forensic investigation completely listed?
• Approach – Is the approach for evidence identification and acquisition reasonable?
• Steps – Are the steps to be taken during the analysis phase reasonable?
• Recovery – Are the steps to be taken during the recovery phase reasonable?
• Policies – Are they suitable for the company?
• Recommendations – Are they appropriate?
• References – Are the references correctly cited?
• Formatting and readability – Is the paper consistently formatted with balanced structure?

Total / Comments / Marker / Date
Explanation / Answer
Accepted methods and procedures to properly seize, safeguard and analyze data and determine what happened. Actionable information to deal with computer forensic cases. Repeatable and effective steps. That is a good way to describe the SANS methodology for IT forensic investigations compiled by Rob Lee and many others. It is an 8-step methodology. It will help the investigator stay on track and assure proper presentation of computer evidence for criminal or civil cases in court, legal proceedings and internal disciplinary actions, handling of malware incidents and unusual operational problems. Furthermore, it is a good starting point in order to have a reasonable knowledge of forensic principles, guidelines, procedures, tools and techniques.
The purpose of these 8 steps is to respond systematically to forensic investigations and determine what happened. It is also important to consider that a computer forensic investigation goes hand in hand with computer incident handling and is normally a break-off point of the containment phase.
Below is a short, high-level introduction to the 8 computer forensic investigation steps:
Verification: Normally the computer forensics investigation will be done as part of an incident response scenario; as such, the first step should be to verify that an incident has taken place. Determine the breadth and scope of the incident and assess the case: what is the situation, the nature of the case and its specifics. This preliminary step is important because it will help determine the characteristics of the incident and define the best approach to identify, preserve and collect evidence. It might also help justify to business owners taking a system offline.
System Description: Next comes the step where you start gathering data about the specific incident. Start by taking notes and describing the system you are going to analyze: where the system is being acquired, and what the system's role is in the organization and in the network. Outline the operating system and its general configuration, such as disk format, amount of RAM and the location of the evidence.
Evidence Acquisition: Identify possible sources of data, acquire volatile and non-volatile data, verify the integrity of the data and ensure chain of custody. When in doubt about what to collect, be on the safe side: it is better to collect too much than not enough. During this step it is also important that you prioritize your evidence collection and engage the business owners to determine the execution and business impact of the chosen strategies. Because volatile data changes over time, the order in which data is collected is important. One suggested order in which volatile data should be acquired is network connections, ARP cache, login sessions, running processes, open files and the contents of RAM and other pertinent data; please note that all this data should be collected using trusted binaries and not the ones from the impacted system. After collecting this volatile data you go into the next step of collecting non-volatile data such as the hard drive. To gather data from the hard drive, depending on the case, there are normally three strategies to do a bit-stream image: using a hardware device like a write blocker in case you can take the system offline and remove the hard drive; using an incident response and forensic toolkit such as Helix that will be used to boot the system; or using live system acquisition (locally or remotely), which might be used when dealing with encrypted systems or systems that cannot be taken offline or are only accessible remotely. After acquiring data, ensure and verify its integrity. You should also be able to clearly describe how the evidence was found, how it was handled and everything that happened to it, i.e. the chain of custody.
Timeline Analysis: After the evidence acquisition you will start doing your investigation and analysis in your forensics lab. Start by doing a timeline analysis. This is a crucial step and very useful because it includes information such as when files were modified, accessed, changed and created in a human-readable format, known as MAC time evidence. The data is gathered using a variety of tools and is extracted from the metadata layer of the file system (inodes on Linux or MFT records on Windows) and then parsed and sorted in order to be analyzed. Timelines of memory artifacts can also be very useful in reconstructing what happened. The end goal is to generate a snapshot of the activity done on the system including its date, the artifact involved, action and source. The creation is an easy process but the interpretation is hard. During the interpretation it helps to be meticulous and patient, and it is easier if you have comprehensive file system and operating system artifact knowledge. To accomplish this step several commercial or open source tools exist, such as the SIFT Workstation, which is freely available and frequently updated.
Media and Artifact Analysis: In this step you will be overwhelmed with the amount of information that you could be looking at. You should be able to answer questions such as what programs were executed, which files were downloaded, which files were clicked on, which directories were opened, which files were deleted, where the user browsed to and many others. One technique used in order to reduce the data set is to identify files known to be good and the ones that are known to be bad. This is done using databases like the National Software Reference Library from NIST and hash comparisons using tools like hfind from the Sleuth Kit. In case you are analyzing a Windows system you can create a super timeline. The super timeline will incorporate multiple time sources into a single file. You must have knowledge of file systems, Windows artifacts and registry artifacts to take advantage of this technique, which will reduce the amount of data to be analyzed. Other things that you will be looking for are evidence of account usage, browser usage, file downloads, file opening/creation, program execution and USB key usage. Memory analysis is another key analysis step in order to examine rogue processes, network connections, loaded DLLs, evidence of code injection, process paths, user handles, mutexes and many others. Beware of anti-forensic techniques such as steganography or data alteration and destruction, which will impact your investigation analysis and conclusions.
String or Byte Search: This step consists of using tools that search the low-level raw images. If you know what you are looking for, then you can use this method to find it. It is in this step that you use tools and techniques that look for byte signatures of known files, known as magic cookies. It is also in this step that you do string searches using regular expressions. The strings or byte signatures that you will be looking for are the ones that are relevant to the case you are dealing with.
Data Recovery: This is the step in which you will be looking at recovering data from the file system. Some of the tools that will help in this step are the ones available in the Sleuth Kit, which can be used to analyze the file system, data layer and metadata layer. Analyzing the slack space and unallocated space, and in-depth file system analysis, are part of this step in order to find files of interest. Carving files from the raw images based on file headers using tools like foremost is another technique to further gather evidence.
Reporting Results: The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process. Reporting the results is a key part of any investigation. Consider writing in a way that reflects the usage of scientific methods and facts that you can prove. Adapt the reporting style depending on the audience and be prepared for the report to be used as evidence for legal or administrative purposes.
The resources required to conduct a digital forensic investigation are given below:
• Effective network and computer forensics capabilities are required for performing various kinds of work within the company; these tasks include troubleshooting operational problems, investigating inappropriate behavior and crimes, supporting due diligence to maintain audit records, recovering from accidental damage, etc.
• The team handling the incident must have more than one member who is able to perform each type of forensic activity. Hands-on exercises, including forensic training courses, are very helpful for creating and maintaining the skills, as they can demonstrate new technologies and tools.
• The policies should be applied to the person who is authorized to monitor the network and systems and perform the investigation process for the above-mentioned case under favorable circumstances. The company must also have a separate forensic policy for the persons who handle the incident investigation. The policy must clearly define the responsibility and role of each person who takes part in the investigation process of the incident. The organization's policy must explain what action should be performed under different situations and must address the utilization of anti-forensic techniques and tools.
Skill Sets & Tools
Computer forensic analysts must be familiar with standard computer operating systems, networks and hardware as well as security software and document-creation applications. Analysts must have expertise in hacking and intrusion techniques and prior experience with security testing and computer system diagnostics. As their title suggests, analysts are expected to have excellent analytical skills, to be highly conscious of details and to be able to multi-task efficiently. A Bachelor of Computer Science degree and a Certified Forensic Computer Examiner certification are desirable for any forensic analyst.
Below are a few forensic tools which help in various categories:
Disk and data capture tools
File viewers
File analysis tools
Registry analysis tools
Internet analysis tools
Email analysis tools
Mobile devices analysis tools
Mac OS analysis tools
Network forensics tools
Database forensics tools
The approach for digital data identification and acquisition should be as follows:
Collection
1. The collection process is the identification of data, followed by labeling the data and then recording it.
2. Identify the forensic tools to collect and gather all the digital forensic data.
3. Gather all possible information from the e-mails, MS Word files, spreadsheets, Outlook, etc.
4. Access information from routers, switches, firewalls, the topology of the network, servers and diagrams of the network.
5. Capture network information from live network traffic with various tools, like the 'netmon' tool, etc.
Examination
Examination of the collected information must be done using forensic investigation tools.
Analysis
Once the examination phase is completed, all the examined data is analyzed in detail. The analysis of the data includes many of the activities done by the audit team. The activities to list are:
Unusual application request analysis
Unusual and hidden file analysis and if exists, unusual open socket analysis is to be followed
Analysis of unusual accounts
Analysis of malicious activities during some period before and after the suspect of the compromise
Updated level analysis
Patching level system analysis
Complete timeline activities analysis
Complete file system analysis
Complete memory analysis
Detailed malware analysis, both in static and dynamic methods through prefetch, registry, log examinations and analysis
After the detailed analysis is done, all the findings are to be clearly noted with all the necessary digital evidences.
Report
By this phase, all the collection, examination and analysis of the data from the workstations and servers are done. The possible sources of the compromise are narrowed down to find the exact source of compromise. After determining the exact source, the team has to draft and prepare the final report. The report can be made in many ways, but it has to be created clearly as a written report.
An approach to recover the files that have been deleted from the computer
One should not expect to find all user information sitting in the default folder or default location for a given type of file (e.g. Application Data or similar folder). Searching the entire hard disk is required in order to locate all unencrypted log and history files.
In reality, locating any one of the files is an obvious exercise. As applications such as instant messengers or email clients have to have access to their working files, they store files’ locations somewhere in the Windows registry or in their own configuration files. One must know a lot about each application being analyzed, which includes literally hundreds of messengers, e-mail clients, peer-to-peer applications, and browsers.
The principle of deleted file recovery is based on the fact that Windows does not wipe the contents of the file when it’s being deleted. Instead, a file system record storing the exact location of that file on the disk is marked as “deleted.” The disk space previously occupied by the file is then advertised as available, but not overwritten with zeroes or other data.
By analyzing the file system and/or scanning the entire hard drive looking for characteristic signatures of known file types, one can successfully recover not only files that were deleted by the user, but also discover evidence such as temporary copies of Office documents (including old versions and revisions of such documents), temporary files saved by many applications, renamed files, and so on. Information stored in deleted files can be supplemented with data collected from other sources.
Information from hard drives that were formatted by the user may be recoverable through data carving or by using a commercial data recovery tool. However, the recovery of formatted hard drives is iffy and depends on a wide set of parameters.
Solid-state drives represent a new storage technology. They operate much faster compared to traditional hard drives. SSD drives employ a completely different way of storing information internally, which makes it much easier to destroy information and much more difficult to recover it. Traditional forensic methods fail when attempting to recover information deleted from SSD drives, or trying to recover anything from an SSD drive formatted with either Quick or Full format. Information may still be available if the TRIM command was not issued. This can happen if at least one of the many components does not support TRIM. The components include: the version of the operating system (Windows Vista and Windows 7 support TRIM, while Windows XP and earlier versions typically don't); the communication interface (SATA and eSATA support TRIM, while external enclosures connected via USB, LAN or FireWire don't); and the file system (Windows supports TRIM on NTFS volumes but not on FAT-formatted disks; Linux, on the other hand, supports TRIM on all types of volumes including those formatted with FAT).
Data Carving
Carving stands for bit-precise, sequential examination of the entire content of the hard drive. Carving allows locating various artifacts that would not be available otherwise. The concept of carving is different from the concept of file recovery, even if such recovery is based on signature-search algorithms. With carving, investigators do not rely on files as they may be partially overwritten, fragmented and scattered around the disk. Instead, carving looks for particular signatures or patterns that may give a clue that some interesting data can be stored in a particular spot on the disk.
Carving is truly indispensable when looking for destroyed evidence. Traditional hard drives may store bits of deleted data (or even entire files) for a long time after the file’s been deleted. Sometimes even formatting the disk several times still leaves information that was originally stored on the disk.
Encrypted Volumes
Disk encryption tools such as BitLocker, PGP and TrueCrypt set the industry standard in the area of whole disk encryption. Any of these tools can provide strong, reliable protection, offering a perfect implementation of strong crypto. Normally, an investigator will need to know the original plain-text password protecting the encrypted volume. With many users selecting long, complex passwords, brute-forcing access to one of these volumes is a dead proposition.
However, the very fact that a long, complex password is used presents a way to break into these crypto containers. It's human nature to keep things easy. Typing a long, complicated passphrase every time the user requires access to a file stored on an encrypted volume is not easy. Most users will opt to type the password just once after the PC loads. The encrypted container will remain "open" and readily accessible during the entire session. Quite obviously, what's kept open can be unlocked with an appropriate tool such as the recently released Elcomsoft Forensic Disk Decryptor.
The tool works by extracting actual encryption keys (as opposed to user-selected passphrase) from the computer’s memory (Live RAM analysis), Windows page file or hibernation file.
Relevant security policies for a company
Acceptable Use Policy
Password Policy
Backup Policy
Network Access Policy
Incident Response Policy
Email Policy
Guest Access Policy
Wireless Policy
Third Party Connection Policy
Network Security Policy
Encryption Policy
Confidential Data Policy
Data Classification Policy
Mobile Device Policy
Retention Policy
Outsourcing Policy
Physical Security Policy
Virtual Private Network (VPN) Policy
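The timeline analysis step described above (MAC times pulled from the file system's metadata layer, sorted into one human-readable list) is easy to demonstrate in a few lines. The following is an added example written for this page; it is not code from the original answer, from SIFT or from mactime. It walks a directory tree, emits one row per distinct timestamp of each file in the mactime "MACB" style, and renders it in UTC. The sample tree it builds is constructed and back-dated with os.utime purely for illustration; on macOS/APFS the lstat result also carries st_birthtime, which becomes the "B" column, while on Linux that column is simply never set.

```python
import os
import tempfile
from datetime import datetime, timezone

# Column order of the flag mask, following the mactime "MACB" convention.
FLAGS = "MACB"


def collect_events(root):
    """Walk `root` and return a sorted list of (epoch, flags, relative_path).

    One row is emitted per distinct timestamp of each file or directory:
    M = content modified (st_mtime), A = last accessed (st_atime),
    C = metadata changed (st_ctime), B = born/created (st_birthtime, which
    macOS and BSD expose; Linux does not, so "B" is absent there).
    Timestamps that coincide on one file are merged into a single row, so a
    file that was written and never touched again shows as "MA.." or "MACB".
    """
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks on evidence
            stamps = {"M": st.st_mtime, "A": st.st_atime, "C": st.st_ctime}
            birth = getattr(st, "st_birthtime", None)
            if birth is not None:
                stamps["B"] = birth
            by_time = {}
            for flag, ts in stamps.items():
                by_time.setdefault(int(ts), []).append(flag)
            rel = os.path.relpath(path, root)
            for ts, flags in by_time.items():
                mask = "".join(f if f in flags else "." for f in FLAGS)
                events.append((ts, mask, rel))
    events.sort()
    return events


def render(events):
    """Format events as mactime-style lines, oldest first, in UTC."""
    lines = []
    for ts, mask, rel in events:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when}Z  {mask}  {rel}")
    return lines


def build_sample_tree():
    """Constructed sample tree with back-dated timestamps (not real evidence).

    The ctime of each file stays at 'now' because os.utime itself changes the
    metadata, which is exactly the kind of inconsistency a timeline exposes.
    """
    root = tempfile.mkdtemp(prefix="dfs_timeline_")
    docs = os.path.join(root, "Documents")
    os.mkdir(docs)
    ledger = os.path.join(docs, "ledger.xlsx")
    with open(ledger, "wb") as f:
        f.write(b"constructed spreadsheet bytes")
    os.utime(ledger, (1_600_000_000, 1_600_000_000))  # atime == mtime -> "MA.."
    note = os.path.join(root, "transfer.txt")
    with open(note, "w") as f:
        f.write("constructed note\n")
    os.utime(note, (1_600_007_200, 1_600_003_600))  # read one hour after last write
    return root


if __name__ == "__main__":
    for line in render(collect_events(build_sample_tree())):
        print(line)
```

On a real image the same walk would be run against the mounted, read-only evidence copy (or replaced by fls/mactime from the Sleuth Kit so that deleted inodes are included); the point of the example is the shape of the data the examiner then has to interpret, not the collection itself.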
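The byte-signature search, the data recovery step and the "Data Carving" section all rest on the same idea: a deleted file's bytes are still on the disk after its directory entry is marked free, so scanning the raw image for known headers and footers finds them without any file system metadata. The following is an added example for this page, not code from the original answer or from foremost. It carves PNG, JPEG and PDF by header/footer over a constructed "unallocated space" buffer; the PNG is built with a small generator so the carved result is a real, valid file, the JPEG is a stub that only mimics the markers, and the PDF deliberately has no %%EOF to show how a partially overwritten file is reported as an incomplete fragment. The filler between the files is deterministic pseudo-random text from [a-z0-9], chosen because it can never contain any of the signatures.

```python
import random
import struct
import zlib

# Header/footer byte signatures ("magic bytes") for the file types carved here.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 8 * 1024 * 1024  # stop looking for a footer after this many bytes


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Header/footer carving over raw bytes; no file system metadata is used.

    Returns a list of (offset, kind, data, complete) sorted by offset.
    `complete` is False when no footer was found within `max_len`, which is
    what a partially overwritten (or fragmented) file looks like; the bytes up
    to `max_len` are still returned so the examiner can inspect the fragment.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_len)
            if end == -1:
                found.append((pos, kind, image[pos:pos + max_len], False))
                nxt = pos + len(head)
            else:
                end += len(tail)
                found.append((pos, kind, image[pos:end], True))
                nxt = end
            pos = image.find(head, nxt)
    found.sort(key=lambda hit: hit[0])
    return found


def make_png(width, height, rgb):
    """Build a minimal but valid 8-bit RGB PNG (used only to construct sample data)."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    scanlines = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


def build_sample_image():
    """Constructed 'unallocated space': three orphaned files between filler.

    Returns (image_bytes, {"png": offset, "jpg": offset, "pdf": offset}).
    """
    rng = random.Random(7)
    alphabet = b"abcdefghijklmnopqrstuvwxyz0123456789"

    def filler(n):
        return bytes(rng.choice(alphabet) for _ in range(n))

    png = make_png(4, 2, (200, 30, 30))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"  # stub, not a real JPEG
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"  # tail overwritten: no %%EOF
    image = b"".join([filler(4096), png, filler(777), jpg, filler(512), pdf, filler(256)])
    offsets = {"png": 4096,
               "jpg": 4096 + len(png) + 777,
               "pdf": 4096 + len(png) + 777 + len(jpg) + 512}
    return image, offsets


if __name__ == "__main__":
    image, _ = build_sample_image()
    for off, kind, data, complete in carve(image):
        print(f"offset {off:6d}  {kind}  {len(data):5d} bytes  {'complete' if complete else 'FRAGMENT'}")
```

Two caveats a practitioner would add: a footer search that spans another file's header (two JPEGs back to back with the first one truncated) silently glues them together, which is why real carvers validate the structure of what they cut out rather than trusting the footer alone; and, as the SSD paragraph above notes, if TRIM has zeroed the freed blocks there is nothing left for any signature search to find.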
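The "Encrypted Volumes" paragraphs say that the key itself, not the passphrase, is what gets recovered from RAM, a page file or a hibernation file. The way that recovery works in practice is worth seeing: an AES-128 key in memory is almost always accompanied by its 176-byte expanded key schedule, and the schedule is a deterministic function of the key, so a scanner can test every 16-byte window of a dump and report the ones whose following 160 bytes are exactly the expansion of that window. The following is an added example written for this page (not code from the original answer or from Elcomsoft's product); it derives the AES S-box arithmetically, implements the FIPS-197 key expansion, and scans a constructed "memory dump" in which the schedule of the FIPS-197 Appendix A.1 test key is planted at one offset and a bare copy of the same key, without a schedule, at another. The bare copy is never reported, which is the point: the technique keys on the schedule structure, not on the key bytes.

```python
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _make_sbox():
    """Derive the AES S-box from GF(2^8) arithmetic rather than a 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3 (q stays p^-1)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        # affine transformation of the multiplicative inverse
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def expand_key(key):
    """AES-128 key expansion (FIPS-197 section 5.2): 16-byte key -> 176-byte schedule."""
    assert len(key) == 16
    words = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = words[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # RotWord then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        words.append(bytes(a ^ b for a, b in zip(words[i - 4], t)))
    return b"".join(words)


def _first_round_word(key):
    """w[4] of the schedule: a cheap 4-byte test used to prefilter candidates."""
    t = key[12:16]
    t = bytes(SBOX[b] for b in t[1:] + t[:1])
    return bytes([key[0] ^ t[0] ^ 0x01, key[1] ^ t[1], key[2] ^ t[2], key[3] ^ t[3]])


def find_aes128_keys(dump):
    """Return [(offset, key)] for every 176-byte span that is a valid AES-128 key schedule."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        cand = bytes(dump[off:off + 16])
        if dump[off + 16:off + 20] != _first_round_word(cand):
            continue  # about 1 in 2^32 random windows survive; full check below
        if expand_key(cand) == dump[off:off + 176]:
            hits.append((off, cand))
    return hits


def build_sample_dump():
    """Constructed 'memory image' (not a real capture): random filler, one real
    key schedule planted at offset 3000, and a bare copy of the key at 9000."""
    rng = random.Random(42)
    dump = bytearray(rng.getrandbits(8) for _ in range(12288))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 App. A.1 key
    dump[3000:3000 + 176] = expand_key(key)
    dump[9000:9000 + 16] = key
    return bytes(dump), key


if __name__ == "__main__":
    dump, _ = build_sample_dump()
    for off, key in find_aes128_keys(dump):
        print(f"AES-128 key schedule at offset {off}: key = {key.hex()}")
```

The same scan applies to a hibernation file or page file once it has been decompressed and laid out as raw memory; AES-256 differs only in the 240-byte schedule and 8-word key, and disk encryption products that keep the schedule in a non-standard layout need a product-specific matcher. It also explains the defensive counterpart: a volume that is locked, with the key wiped from RAM, leaves nothing for this search to find, which is why policies that require screen lock plus volume dismount on idle (not just screen lock) matter.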